Topic "adding a new SSH fingerprint alongside existing one"

HappyChappy
Joined: 2016-06-08
Posts: 9
Hi,

We SFTP to another client on a daily basis. They have advised that they are going to be migrating their server over a weekend and as a result their SFTP server's fingerprint will change from its current value.

They ask that the new fingerprint is added to our SFTP client's trusted key store ahead of the migration date. This will ensure that our connection is not blocked by our SFTP client when the fingerprint changes. They have supplied the new fingerprint "ssh-rsa 1024 1x:11:xx:xx:80:74:a2:c9:59:yy:bb:0p:78:d8:bd:u2"

Is there a way I can add this new fingerprint in along side the existing one so that the migration can be as seamless as possible?

Thanks,

HappyChappy
Chris David
Joined: 2016-08-23
Posts: 14
HappyChappy wrote:
Hi,

We SFTP to another client on a daily basis. They have advised that they are going to be migrating their server over a weekend and as a result their SFTP server's fingerprint will change from its current value.

They ask that the new fingerprint is added to our SFTP client's trusted key store ahead of the migration date. This will ensure that our connection is not blocked by our SFTP client when the fingerprint changes. They have supplied the new fingerprint "ssh-rsa 1024 1x:11:xx:xx:80:74:a2:c9:59:yy:bb:0p:78:d8:bd:u2"

Is there a way I can add this new fingerprint in along side the existing one so that the migration can be as seamless as possible?

Thanks,

HappyChappy


I think you have the ability to provide multiple fingerprints each needing to be separated by a semi-colon.
martin
Site Admin
Joined: 2002-12-10
Posts: 25015
Location: Prague, Czechia
It's not clear if you are referring to a script, the GUI, or what?

If script, as Chris already wrote, you can separate multiple hostkeys using semicolon:
https://winscp.net/eng/docs/scriptcommand_open#hostkey
HappyChappy
Joined: 2016-06-08
Posts: 9
Guys, thanks :) It is a script, so that should work for me, thanks!
HappyChappy
Joined: 2016-06-08
Posts: 9
Spoke too soon:

I got error in log: Script: Unknown command '1024'

code is like:

%SECUREFTP% /log="E:\Client\Logs\test.log" /command "option batch abort" "open -timeout=60 sftp://Username:Password@111.111.111.1:22/test/ -hostkey="ssh-rsa 1024 x2:v4:n6:f8:z1:c3:65:77:45:32:98:8b:7b:09:9j:s0";"ssh-rsa 1024 g5:v4:n6:p8:z1:c3:88:77:45:xj:98:8b:7b:h9:9j:s0"" "put -transfer=ascii -nopreservetime -nopermissions -delete "E:\Host\Primary\Test\fingerprinttest.csv"" "exit"
Chris David
Joined: 2016-08-23
Posts: 14
HappyChappy wrote:
Spoke too soon:

I got error in log: Script: Unknown command '1024'

code is like:

%SECUREFTP% /log="E:\Client\Logs\test.log" /command "option batch abort" "open -timeout=60 sftp://Username:Password@111.111.111.1:22/test/ -hostkey="ssh-rsa 1024 x2:v4:n6:f8:z1:c3:65:77:45:32:98:8b:7b:09:9j:s0";"ssh-rsa 1024 g5:v4:n6:p8:z1:c3:88:77:45:xj:98:8b:7b:h9:9j:s0"" "put -transfer=ascii -nopreservetime -nopermissions -delete "E:\Host\Primary\Test\fingerprinttest.csv"" "exit"



As mentioned, each fingerprint needs to be separated by a semi-colon, but the ENTIRE set of fingerprints only requires one open and one close quote.

It should look something like this (where key#1 and key#2 are the actual keys you wanted to use):

"ssh-rsa 1024 key#1;ssh-rsa 1024 key#2"
HappyChappy
Joined: 2016-06-08
Posts: 9
same error :? :(

changed code to

getting same error :? :(

changed code to

%SECUREFTP% /log="E:\Client\Logs\test.log" /command "option batch abort" "open -timeout=60 sftp://Username:Password@111.111.111.1:22/test/ -hostkey="ssh-rsa 1024 x2:v4:n6:f8:z1:c3:65:77:45:32:98:8b:7b:09:9j:s0;ssh-rsa 1024 g5:v4:n6:p8:z1:c3:88:77:45:xj:98:8b:7b:h9:9j:s0"" "put -transfer=ascii -nopreservetime -nopermissions -delete "E:\Host\Primary\Test\fingerprinttest.csv"" "exit"

& still get error

. 2016-10-13 15:40:16.994 Startup conversation with host finished.
< 2016-10-13 15:40:16.994 Script: Active session: [1] Username@111.111.111.1
> 2016-10-13 15:40:16.995 Script: 1024
< 2016-10-13 15:40:16.995 Script: Unknown command '1024'.
. 2016-10-13 15:40:16.995 Script: Failed
. 2016-10-13 15:40:16.995 Script: Exit code: 1
. 2016-10-13 15:40:16.995 Closing connection.
HappyChappy
Joined: 2016-06-08
Posts: 9
If I take out the -hostkey"<key>;<key>" it works fine
Chris David
Joined: 2016-08-23
Posts: 14
HappyChappy wrote:
same error :? :(

changed code to

getting same error :? :(

changed code to

%SECUREFTP% /log="E:\Client\Logs\test.log" /command "option batch abort" "open -timeout=60 sftp://Username:Password@111.111.111.1:22/test/ -hostkey="ssh-rsa 1024 x2:v4:n6:f8:z1:c3:65:77:45:32:98:8b:7b:09:9j:s0;ssh-rsa 1024 g5:v4:n6:p8:z1:c3:88:77:45:xj:98:8b:7b:h9:9j:s0"" "put -transfer=ascii -nopreservetime -nopermissions -delete "E:\Host\Primary\Test\fingerprinttest.csv"" "exit"

& still get error

. 2016-10-13 15:40:16.994 Startup conversation with host finished.
< 2016-10-13 15:40:16.994 Script: Active session: [1] Username@111.111.111.1
> 2016-10-13 15:40:16.995 Script: 1024
< 2016-10-13 15:40:16.995 Script: Unknown command '1024'.
. 2016-10-13 15:40:16.995 Script: Failed
. 2016-10-13 15:40:16.995 Script: Exit code: 1
. 2016-10-13 15:40:16.995 Closing connection.


I know this doesn't solve your multiple fingerprint issue, but use the EXACT same command line, but as a test, revert to using only ONE fingerprint to see if you still have an error message.
Chris David
Joined: 2016-08-23
Posts: 14
HappyChappy wrote:
If I take out the -hostkey"<key>;<key>" it works fine


Just to add. The web page below:

https://winscp.net/eng/docs/commandline

clearly states that it can be done:

"Parameter /hostkey specifies fingerprint of expected SSH host key (or several alternative fingerprints separated by semicolon). It makes WinSCP automatically accept host key with the fingerprint."

Your problem is most likely elsewhere in that entire command line (it doesn't look correct to me just by seeing double quotes in certain places for example).
HappyChappy
Joined: 2016-06-08
Posts: 9
Got it :)

According to the link above you posted: "any script command argument that includes spaces is expected to be surrounded by double-quotes within the command"

So I changed the code to (triple quotes in a row :) ):

%SECUREFTP% /log="E:\Client\Logs\test.log" /command "option batch abort" "open -timeout=60 sftp://Username:Password@111.111.111.1:22/test/ -hostkey=""ssh-rsa 1024 x2:v4:n6:f8:z1:c3:65:77:45:32:98:8b:7b:09:9j:s0;ssh-rsa 1024 g5:v4:n6:p8:z1:c3:88:77:45:xj:98:8b:7b:h9:9j:s0""" "put -transfer=ascii -nopreservetime -nopermissions -delete "E:\Host\Primary\Test\fingerprinttest.csv"" "exit"

and it works now!

Thanks for the pointers guys
Chris David
Joined: 2016-08-23
Posts: 14
HappyChappy wrote:
Got it :)

According to the link above you posted: "any script command argument that includes spaces is expected to be surrounded by double-quotes within the command"

So I changed the code to (triple quotes in a row :) ):

%SECUREFTP% /log="E:\Client\Logs\test.log" /command "option batch abort" "open -timeout=60 sftp://Username:Password@111.111.111.1:22/test/ -hostkey=""ssh-rsa 1024 x2:v4:n6:f8:z1:c3:65:77:45:32:98:8b:7b:09:9j:s0;ssh-rsa 1024 g5:v4:n6:p8:z1:c3:88:77:45:xj:98:8b:7b:h9:9j:s0""" "put -transfer=ascii -nopreservetime -nopermissions -delete "E:\Host\Primary\Test\fingerprinttest.csv"" "exit"

and it works now!

Thanks for the pointers guys


You do realize that double quotes means this -> "

It does NOT mean this -> ""

Even if the command line is working, there is still something that looks very odd about it. I don't use command line scripts for what I do, I use the .NET assembly, but if you gave me a temporary username/password I would be able to figure it out. Nonetheless, if you are happy with what you have then don't worry about it. Take care.
martin
Site Admin
Joined: 2002-12-10
Posts: 25015
Location: Prague, Czechia
Your solution with double double-quotes is correct.
See https://winscp.net/eng/docs/commandline#syntax

Actually you had to have these even with a single host key.
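
Added example (not part of the thread, and not WinSCP's own parser): a simplified Python model of the quoting rule quoted above, showing why the undoubled quotes turn `1024` into a separate script command and why the doubled quotes keep both fingerprints inside one `-hostkey` value. The host, user and fingerprints are constructed placeholders, and the function names are hypothetical.

```python
# Simplified model of the quoting rule quoted in the thread; not WinSCP's parser.
def split_args(line):
    """Whitespace separates arguments, "..." groups words into one argument,
    and "" inside a quoted argument is a literal double quote."""
    args, cur, in_quotes, started, i = [], [], False, False, 0
    while i < len(line):
        ch = line[i]
        if in_quotes:
            if ch == '"' and line[i + 1:i + 2] == '"':
                cur.append('"')          # doubled quote -> literal quote
                i += 2
                continue
            if ch == '"':
                in_quotes = False        # lone quote closes the argument
            else:
                cur.append(ch)
        elif ch == '"':
            in_quotes = started = True
        elif ch.isspace():
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
        i += 1
    if started:
        args.append("".join(cur))
    return args

def script_commands(cmdline):
    """Each argument after /command is handed to the script engine as one command."""
    args = split_args(cmdline)
    return args[args.index("/command") + 1:]

def hostkeys(open_command):
    """Second pass: the script engine splits the open command the same way."""
    for arg in split_args(open_command):
        if arg.startswith("-hostkey="):
            return arg[len("-hostkey="):].split(";")
    return []

# Constructed placeholders (host, user, fingerprints), shaped like the thread's lines.
BROKEN = ('%SECUREFTP% /command "option batch abort" "open sftp://user@example.com/ '
          '-hostkey="ssh-rsa 1024 aa:bb;ssh-rsa 1024 cc:dd"" "exit"')
FIXED = ('%SECUREFTP% /command "option batch abort" "open sftp://user@example.com/ '
         '-hostkey=""ssh-rsa 1024 aa:bb;ssh-rsa 1024 cc:dd""" "exit"')

if __name__ == "__main__":
    for name, line in (("broken", BROKEN), ("fixed", FIXED)):
        cmds = script_commands(line)
        print(name, cmds, hostkeys(cmds[1]))
```

Once the migration is complete, remove the old fingerprint from the list so that only the server's current host key is accepted.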